Fluid Attacks Database

Description

ReDoS in Sec-Websocket-Protocol header

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();
...

Patches

The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to [email protected] (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and [email protected] (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	ws	<=5.2.3 \|\| >=6.0.0 <6.2.2 \|\| >=7.0.0 <7.4.6	7.4.6, 6.2.2, 5.2.3
debian 11	node-ws	>=0 <7.4.2+~cs18.0.8-2	7.4.2+~cs18.0.8-2
debian 14	node-ws	>=0 <7.4.2+~cs18.0.8-2	7.4.2+~cs18.0.8-2
debian 13	node-ws	>=0 <7.4.2+~cs18.0.8-2	7.4.2+~cs18.0.8-2
debian 12	node-ws	>=0 <7.4.2+~cs18.0.8-2	7.4.2+~cs18.0.8-2

Aliases

1. CVE-2021-326402. NVD-2021-326403. OSV-2021-326404. OSV-DEBIAN-2021-326405. GHSA-6fc8-4gx4-v6936. GCVE-2021-326407. SECURITY-TRACKER-CVE-2021-32640

References

1. https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v6932. https://github.com/websockets/ws/issues/18953. https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff4. https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E5. https://security.netapp.com/advisory/ntap-20210706-0005

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.